I have a small web site where I sell software that I write. Payments for the registration/license codes for my software are done via PayPal. I have an automated IPN script that links to my PayPal account that processes each payment automatically and then dispatches an email to the user’s email address associated with their PayPal account, that explains how to register the software and provides a user with their personalized registration license code.
Sometimes a person who made a payment may send me a follow-up email via the feedback on my site, with the message as follows (the actual email I got today, verbatim):
My name is ______, I just bought a license from Software_Name. I bought via Paypal, but only after completing the purchase remembered that I no longer have access to the email address you are registered (gives_paypal_email_where_payment_came_from).
I would like the license was sent to another email: some_other_email_address.
How do you treat such requests? Or is there any way to verify that the person whose PayPal account was used indeed made this purchase and that someone didn’t just steal their PayPal account?